The demise of Threat Management Gateway: Is Microsoft backing away from the edge?

Threat Management Gateway (TMG) has grown into a solid edge security solution with a large installed base, yet Gartner says that Microsoft won't be shipping another full version of the product. Deb Shinder looks at initial reactions to this report -- and what may lie ahead for TMG and the companies that rely on it.

Last week, I reported in my blog over at ISAServer.org that Gartner's Magic Quadrant for Secure Web Gateway, published May 25, left Microsoft out of the matrix completely. The report explained that this was because Microsoft had informed Gartner that it wouldn't be shipping another full version of TMG (Threat Management Gateway), that the product is now in "sustaining" mode, and that the company doesn't intend to compete head-to-head with other vendors in that (the secure Web gateway/firewall) space.

TMG 2010 is part of the Microsoft Forefront family of security products and is the latest incarnation of the software formerly known as ISA Server, which itself evolved out of Microsoft's Proxy Server. TMG provides advanced stateful packet and application layer inspection (firewall) services, VPN services, and Web caching.

I have a special affinity for TMG because my husband, Tom Shinder, and I specialized in Proxy Server/ISA Server early in our IT careers. We wrote several books and many articles about the products and have been involved with the ISAServer.org Web site for more than 10 years. When Tom left to become a Microsoft employee in 2009, I took over his lead author role there. Thus, to me, TMG isn't just any old Microsoft Server -- it's been a big part of my life and my career.

Say it isn't so

The news of TMG's apparent impending demise came as a shock to many customers who have deployed or have been planning deployments of TMG, to consultants who specialize in or work with TMG, to partner companies that make TMG-based appliances, and to Microsoft Forefront MVPs. In fact, I received many responses to my post, and most were along the lines of "Gartner must be mistaken" or "Maybe you're interpreting this wrong." A few even seemed to blame me for pointing out what the Gartner report said.

Those initial reactions weren't at all surprising. In my life before IT, I was a police officer, and delivering death notifications was always one of the most unpleasant aspects of the job. We all know that the first stage of grief is denial, and the second stage, anger, often comes soon after. While some were protesting that it couldn't possibly be true, others were composing lovely eulogies. Forefront MVP Richard Hicks said, "The demise of TMG most certainly must be for reasons other than the viability of the product. The level of protection provided by TMG is unrivaled, in my opinion, by any other firewall or proxy on the market today."

In fact, that's what made Gartner's bold statement so difficult to swallow for those who have been working with TMG. Through various versions and name changes, the product has matured into a solid edge security solution that has attracted a fiercely loyal following. At the MVP Summits I've attended, the Forefront MVPs have always been some of the most enthusiastic about their product and the most engaged with their product groups and with each other. The TechGenix-sponsored ISAServer.org Web site has remained popular, with an active core membership.

Handwriting on the wall?

Some of the people who wrote to me about my blog post were understandably upset, not just about the news itself, but by the fact that they were first hearing about it from Gartner rather than from Microsoft. If TMG is indeed now to be considered in sustaining mode, if no future versions are planned, why has there been nothing about this in the Product Team Blog? Why were partners, MVPs, and others whose livelihood is tied up with the product not told? One likened the feeling to the experience of having a loved one go into the hospital to have a wart removed and then getting a phone call telling you that the person died during the procedure.

Others, though, noted that the signs may have been there for a while. At the TechEd 2011 conference in Atlanta in mid-May, there were no sessions on TMG. There have been grumblings from TMG resellers about the lack of a roadmap for TMG. Some pointed to the "killing" of other products, such as Forefront Protection Manager and Windows Essential Business Server (EBS). And then there were the personnel moves. Sure, Microsoft is always reorganizing, but a few folks noted that maybe the departure of key members of the TMG team, along with the fact that some of the Microsoft employees who had been most active in the TMG community have recently moved to other jobs within the company, should have been an indication that all was not well with TMG.

Gone to heaven -- or to the cloud?

As a matter of fact, it seems many of those employees who have moved from TMG are now working in cloud-based products and services. After all, that's where the action is at Microsoft these days. Some see the current push to cloud computing -- by Microsoft and other major players in the tech industry -- as something that will bring about the "end of the edge." They say that would negate the need for firewalls -- or at least, network-based firewalls that protect the LAN from the "outside." When the Internet serves the purpose formerly reserved for the local network (storage of your data, delivery of your applications), most security will need to be host-based. Deperimeterization is a concept that's been talked about in IT for years. The term was made famous by the Jericho forum, a group dedicated to "boundaryless information flow" within and between enterprises. Obviously, if the (fire)walls all come tumbling down, TMG will become less relevant.

On the other hand, Microsoft's cloud focus has also caused some speculation that perhaps TMG isn't really going away after all but will instead morph into a "cloudified" security product (maybe with yet another new name). Richard Hicks explains this view: "...Some have suggested that the importance of TMG is being diminished in a cloud-based world. I would disagree completely. In my opinion, it is even more important to have TMG! Perhaps TMG should be renamed CAG (Cloud Access Gateway). It provides secure, reliable access to cloud-based apps while still providing excellent protection for on-premises users, protecting them from web-based threats and maintaining productivity as well. It can inspect encrypted communication, which will be essential for monitoring and protecting communication with the cloud. It is also an excellent place to enforce DLP policies."

Life after death?

Yet another possibility I've seen mentioned is that TMG's functionalities will be rolled into the next version of Windows Server. You would be able to set your Windows Server up to perform the threat management gateway role, just as you can configure it with the DNS Server role or the Active Directory domain controller role.

Now that idea might be a bit more palatable to customers, as Microsoft could sell it as giving you TMG "for free" instead of making you buy a whole separate product to get it (similarly to the way terminal services -- now Remote Desktop Services -- got rolled into most versions of Windows Server after having originally been included only in the special Terminal Services Edition of NT). This could also be in keeping with the idea that host-based firewalls will become more important and network/edge firewalls less so.

Then there's the possibility that the reports of TMG's death, like those of Mark Twain's, have been greatly exaggerated. According to blogger Kent Nordstrom, unnamed sources "within Microsoft" have issued a statement that starts out on a positive note by assuring us that "Microsoft is still in the SWG business despite Gartner's opinion." However, if you read through the whole thing a couple of times, you notice that it really doesn't say much beyond the fact that TMG will continue to be supported with updates throughout the product's life cycle. The issue of whether there will be future versions is not addressed.

Nordstrom speculates that Microsoft will combine TMG with its Unified Access Gateway (UAG). TMG aficionados have been debating that idea for years. Microsoft was already positioning UAG as the preferred solution for filtering inbound access to internal resources, and UAG includes the TMG engine but doesn't support outbound access. If Microsoft drops TMG, rolls its functions into UAG, and makes UAG its "one and only," some customers are not going to be happy campers, especially small businesses on a budget that use TMG. Many TMG fans aren't crazy about UAG's interface -- they find it more clunky and less user-friendly -- but that's not all. The big problem is that UAG (which was designed with the enterprise in mind) is more expensive than TMG and is overkill if you just want to publish your Web servers, SharePoint, and Exchange servers to the Internet. Of course, in an all-cloud world, you wouldn't have any internal servers to publish, since you would buy those as hosted services.

Where does that leave us?

What if we assume a worst-case scenario, that TMG has been relegated to IT purgatory where products languish in limbo after innovation and development stops until their DLC runs out? Even in such a dire case, I think it's important to realize that doesn't mean those partners, third-party developers, MVPs, and Web sites dedicated to TMG will suddenly become obsolete. In fact, if Microsoft did kill the product today, those external resources would become even more important.

TMG (and its predecessor, ISA Server) still has a significant installed base, and those companies aren't all going to dump it just because they hear that Microsoft isn't going to ship a new version in the future. They will still need support, add-ons, documentation, etc. If Microsoft provides less of it, that will create an opportunity for those outside the company to provide more.

With no official word and no roadmap from Microsoft, it's impossible for anyone to say with authority what the future holds for TMG. What I do know is that human beings hate uncertainty. They prefer dealing with bad news to worrying that bad news might be on the way. Now that Gartner has unleashed this tempest, I think it would be smart to let the public know, one way or the other, whether TMG is terminally ill and on life support or just undergoing cosmetic surgery from which it will emerge prettier than before.

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

10 comments
ElWayno

We are one of those companies (medium size) using TMG and we have no choice but to start looking for alternatives. Technology wise there are a lot of them. But they are all much more expensive.

hwangeruk

@MikeW200 You paint the picture MS kind of drop a ball and go place elsewhere. Or another sport. You're personalising, and emoting about a decision they have made on their strategy. And to be honest, I kind of agree with them. Even though I am left a little wondering what I will do with our Celestix boxes. Anyone wrestling with VDI, BYOD and SaaS is contemplating what broader device choice, and greater mobility will mean to company networks. I am of the opinion it will mean more raw Internet access with some management, but largely an unblocked access straight to the cloud. Server 2012 is fantastic! Your hate of Metro is misguided, as your MO is not to use a server as desktop - only to get the job done. And boy is Server 2012 fast, tight and solid. Try running it on a Hypervisor. Oh and Microsoft have not decided Tablet is the future, they have seen that TOUCH is the future. And it is. Soon after that it will be wearable, then finally natural language input. Metro does work very well on Desktop, notebook and tablet as I use it on them all. (And from the timing of your opinion it was unlikely you tried RTM, nor used it for your primary machine before opining.) I actually think the contrary, Microsoft are moving faster and ditching legacy faster - and they certainly needed to do that to survive against the rise of Apple. Don't forget Win8 / Server 2012 is more about WinRT (the API) than about the front face you are complaining about. In the long run, the new core, the consistent UI across all device types will work (as will touch) and all this Metro whining will be a distant memory (just as whining about the Start Orb is/was. Yeah, I remember the belly aching then.) More than anything, this should be an indication that the cloud, HTML5 for LOBs and 4G are in our future. Edge firewalling is going to be legacy and we need to adapt to that. No point complaining, it's coming.

MikeW200

This seems to me to be yet another example of Microsoft deciding to concentrate on something (here, Cloud) and to stop providing updated products for people who don't share their opinion (here, people who wanted to do their - safe - computing themselves). The same thing is happening with Windows. Windows 8 isn't suitable for normal desktops? It doesn't matter because Microsoft have decided that the future is tablets. Even Windows Server 2012 is an abomination to use these days because for no good reason at all it's acquired a (formerly known as) "Metro" interface. Again Microsoft has decided that this kind of interface is best and is forcing it on everyone. A final example. You used to be able to use SharePoint Designer to tweak the look of sites without necessarily going to the code (and if you went to the code you could do it in split view so you could see the results before saving your changes). Not any more. Microsoft have decided their new SharePoint has so good a look there will be no need to change it. (Except, that is, in a big way via code!) You can't help but feel that with Gates gone, reality has flown out of the window and the inherent arrogance that has always been Microsoft has gone into warp speed. "If you don't like the way we have decided that you need to do things, tough." seems to be the current message.

cesisson

I am curious about UAG and DirectAccess. Will components be part of the next version of Windows Server? I don't want to invest money in the components now if they will be included "free" in the next server OS.

waldo21a

Any updates on the direction MS is going??

ederkley

The big question for us is if we bother renewing software assurance each year with no prospect of an upgrade...it's a few thousand dollars per server that could probably be spent better elsewhere...

zloeber

Perhaps they are just going to take the next iteration of UAG (which pretty much just sits on top of TMG) and combine it with TMG entirely. You have to admit that the nuances of each product lend themselves towards this kind of evolution. The line between TMG's and UAG's inbound/outbound proxy purposes is so fine that in many cases either software can be utilized to implement a solution.

rduncan

Well, I can't say I'm that surprised - it's actually a good server though! - we are going with MS edge services this year for proxy and mail security: FF TMG 2010 and FF TMG for Exchange 2010. The ISAserver.org website has been a great resource for ISA 2004 and 2006 down the years, so thanks very much for that. I guess it's a bit of a Windows Phone 7 scenario - not enough market penetration after so many attempts.

coetsera

I asked my MS Rep the question and they said that they have not heard anything yet.